Procedures for Backing Up the Registry Database

1. Enter the registry disable command to set the master replica to the maintenance state. The following command sets the master registry in the cell giverny.com to maintenance state:

dcecp> registry disable /.../giverny.com/subsys/dce/sec/oddball
dcecp>

Setting the master replica to the maintenance state causes the master to save its database to disk and refuse all updates.

2. Back up the master registry by backing up either the entire volume or the dcelocal/var/security/rgy_data tree (the registry) and the dcelocal/var/security/.mkey file, which is the file that contains the master key used to encrypt all keys in the registry. Note that, because the dcelocal/var/security/.mkey file contains the master key, restoring a backup of the registry database is useless unless the dcelocal/var/security/.mkey file is also restored.

The exact commands that are used for the backup are a matter of personal preference. However, if you write both the database and the master key file to the same tape, store the tape in a locked area with restricted access. Alternatively, you can write the database and the key file to separate tapes and store each tape in a different location.

3. When the backup completes, take the master replica out of maintenance state, as follows:

dcecp> registry enable /.../giverny.com/subsys/dce/sec/oddball
dcecp>

The security server resumes accepting updates.

Note that the previous examples supplied the name of the registry master site to the registry enable and registry disable commands. If you do not supply a registry site name, the commands use the site named in the _s(sec_) variable. If this variable is not set, the commands use the master registry of the machine's default cell. See Setting the _s(sec) Variable for more information.